Pretty Advanced New Stuff from CCG Consulting

Main menu

Tag Archives: FTC

Over 200 of the largest companies in the country are proposing a new set of national privacy laws that would apply to large companies nationwide. They are pushing to have this considered by the upcoming Congress.

The coalition includes some of the largest companies in Silicon Valley like Apple and Oracle, but it doesn’t include the big three of Facebook, Google and Amazon. Among the other big businesses included the group are the largest banks like Bank of America and Wells Fargo, big carriers like AT&T and big retailers like Walmart.

As you might expect, a proposed law coming from the large corporations would be favorable to them. They are proposing the following:

Eliminate Conflicting Regulations. They want one federal set of standards. States currently have developed different standards for privacy and for issues like defining sensitive information. There are also differing standards by industry such as for medical, banking and general corporations;

Self-regulation. The group wants the government to define the requirements that must be met but don’t want specific methodologies or processes mandated. They argue that there is a history of government technical standards being obsolete before they are published;

Companies Can Determine Interface with Consumers. The big companies want to decide how much rights to give to their customers. They don’t want mandates for defining how customer data can be used or for requiring consumer consent to use data. They don’t want mandates giving consumers the right to access, change or delete their data;

National Standard for Breach Notification. They want federal, rather than differing state rules on how and when a corporation must notify customers if their data has been breached by hackers;

Put the FTC in Charge of these Issues. They want the FTC to enforce these laws rather than State Attorney Generals;

Wants the Laws to Only Apply to Large Corporations. They don’t want rigid new requirements on small businesses that don’t process much personal data.

There are several reasons big companies are pushing for legislation. There are currently different privacy standards around the country due to actions brought by various State Attorney Generals and they’d like to see one federal standard. But like most laws the primary driver behind this legislation is monetary. Corporations are seeing some huge hits to the bottom line as a result of data breaches and they hope that having national rules will provide a shield against damages – they hope that a company that is meeting federal standards would be shielded from large lawsuits after data breaches.

I look at this legislation both as a consumer and as somebody working in the small carrier industry. With my consumer hat on there are both good and bad aspects of the proposed rules. On the positive side a set of federal regulations ought to be in place for a complex issue that affects so many different industries. For example, it is hard for a corporation to know what to do about a data breach if they have to satisfy differing rules by state.

But the negatives are huge from a consumer perspective. It’s typical political obfuscation to call this a privacy law because it doesn’t provide any extra privacy for consumers. Instead it would let each corporation decide what they want to disclose to the public and how companies use consumer data. A better name for the plan might be the Data Breach Lawsuit Protections Act.

There are also pros and cons for this for small carriers. I think all of my clients would agree that we don’t need a new set of regulations and obligations for small carriers, so small carriers will favor the concept of excusing smaller companies from some aspect of regulations.

However, all ISPs are damaged if the public comes to distrust ISPs because of the behavior of the largest ISPs. Small ISPs already provide consumer privacy. I’ve never heard of a small ISP that monitors customer data, let alone one that is trying to monetize their customers’ data. Small ISPs are already affording significant privacy rights to customers compared to the practices of AT&T, Verizon or Comcast who clearly view customer data as a valuable asset to be exploited rather than something to protect. The ISP industry as a whole would benefit by having rules that foster greater customer trust.

I’m not sure, however, that many small ISPs would automatically notify customers after a data breach – it’s a hard question for every corporation to deal with. I think customers would trust us more if there were clear rules about what to do in the case of a breach. This proposed law reminds me that this is something we should already be talking about because every ISP is vulnerable to hacking. Every ISP ought to be having this conversation now to develop a policy on data breaches – and we ought to tell our customers our plans. Small ISPs shouldn’t need a law to remind us that our customers want to trust us.

Like this:

NCTA, the lobbying group for the big cable companies filed a pleading with the Federal Trade Commission (FTC) asking the agency to not get involved with regulating the broadband industry. When the FCC killed net neutrality, Chairman Ajit Pai promised that it was okay for the FCC to step away from broadband regulation since the FTC was going to take over much of the regulatory role. Now, a month after net neutrality went into effect we have the big cable ISPs arguing that the FTC should have a limited role in regulation broadband. The NTCA comments were filed in a docket that asks how the FTC should handle the regulatory role handed to them by the FCC.

Pai’s claim was weak from the outset because of the nature of the way that the FTC regulates. They basically pursue corporations of all kinds that violate federal trade rules or who abuse the general public. For example, the FTC went after AT&T for throttling customers who had purchased unlimited data plans. However, FTC rulings don’t carry the same weight as FCC orders. Rulings are specific to the company under investigation. Rulings might lead other companies to modify their behavior, but an FTC order doesn’t create a legal precedent that automatically applies to all carriers. In contrast, FCC rulings can be made to apply to the whole industry and rulings can change the regulations for every ISP.

The NCTA petition asks the FTC to not pursue complaints about regulatory complaints against ISPs. For example, they argue that the agency shouldn’t be singling out ISPs for unique regulatory burdens, but should instead pursue the large Internet providers like Facebook and Google. The NCTA claims that market forces will prevent bad behavior by ISP and will punish a carrier that abuses its customers. They claim there is sufficient competition for cable broadband, such as from DSL, that customers will leave an ISP that is behaving poorly. In a world where they have demolished DSL and where cable is a virtual monopoly in most markets they really made that argument! We have a long history in the industry that says otherwise, and even when regulated by the FCC there are long laundry lists of ways that carriers have mistreated their customers.

One of the more interesting requests is that the ISPs want the FTC to preempt state and local rules that try to regulate them. I am sure this is due to vigorous activity at the state level currently to create rules for net neutrality and privacy regulations. They want the FTC to issue guidelines to state Attorney Generals and state consumer protection agencies to remind them that broadband is regulated only at the federal level. It’s an interesting argument to make after the FCC has punted on regulating broadband and when this filing is asking the FTC to do the same. The ISPs want the FTC to leave them alone while asking the agency to act as the watchdog to stop others from trying to regulate the industry.

I think this pleading was inevitable since the big ISPs are trying to take full advantage of the FCC walking away from broadband regulation. The ISPs view this as an opportunity to kill regulation everywhere. At best the FTC would be a weak regulator of broadband, but the ISPs don’t want any scrutiny of the way they treat their customers.

The history of telecom regulation has always been in what I call waves. Over time the amount of regulations build up to a point where companies can make a valid claim of being over-regulated. Over-regulation can then be relieved either by Congress or by a business-friendly FCC who loosens regulatory constraints. But when regulations get too lax the big carriers inevitably break enough rules that attracts an increase of new regulation.

We are certainly hitting the bottom of a trough of a regulatory wave as regulations are being eliminated or ignored. Over time the large monopolies in the industry will do what monopolies always do. They will take advantage of this period of light regulation and will abuse customers in various ways and invite new regulations. My bet is that customer privacy will be the issue that will start the climb back to the top of the regulatory wave. The ISPs argument that market forces will force good behavior on their part is pretty laughable to anybody who has watched the big carriers over the years.

Like this:

When the FCC wrote themselves out of the regulation of broadband, one of the primary arguments made by Chairman Ajit Pai was that the Federal Trade Commission (FTC) would still be empowered to step in to stop any ISP abuses of broadband customers. The FTC has the general mandate to stop large corporations from engaging in unfair or abusive practices and Pai’s argument was made that ISPs are no different than other large corporations and that FTC oversight is sufficient.

There are several reasons why this argument is full of holes and the FTC cannot be an adequate replacement for the FCC. First, the FTC is not structured to regulate monopolies. We are now watching cable companies become a virtual broadband monopoly for residential service in most markets. The FCC loves to point out that there is still usually a telco DSL option, but when Comcast increases minimum broadband speeds to 150 Mbps while DSL is at a small fraction of that speed, then cable broadband and DSL are no longer equivalent services. The cable companies are winning the broadband war and becoming broadband monopolies as DSL disappears from the conversation.

One of the natural roles of government is to regulate monopolies. FERC heavily regulates local electric companies. The FCC was originally created to deal with the monopoly power that the old Ma Bell held over 95% of the country’s telephony needs. The government regulates industries where a few players hold all of the power like airlines and banks.

The government has always dealt with monopolies in one of two ways – regulate them to curtail abuse of monopoly power or else break up the monopolies up to create competition. The government forced the divestiture of the Bell System when it became apparent that their continued existence was a natural barrier to competition. It seems ironic that the FCC would wash its hands of regulating broadband at the point in time when cable companies are becoming classic monopolies.

The other primary reason that the FTC cannot regulate broadband is that they regulate purely by exception. The agency is empowered to pursue specific abuses by a specific corporation and can require and fine a given company for bad behavior. This puts the FTC in the role of corporate policeman – they can go after an ISP for a bad business practice but that doesn’t directly prohibit other ISPs from engaging in the same behavior. The FTC’s powers are pale compared to the ability of a regulatory agency like the FCC to make a ruling that instantly applies to every ISP in the industry. Ajit Pai’s argument that the FTC can take the FCC’s place is faulty because policing is not regulating.

As weak as the FTC’s power is over regulating broadband there is a chance they will lose even that ability. The FTC sued AT&T in 2014 because the company throttled data usage by unlimited customers to try to get them to drop their unlimited data plans. AT&T challenged that lawsuit and argued that the FTC had no authority over the company. Recall that this was at a time when the FCC still claimed jurisdiction over broadband issues.

The US District Court of Northern California recently ruled against AT&T in favor of the FTC. AT&T has until May 29 to appeal that ruling to the Supreme Court. If the company appeals, it will be to directly ask the Supreme Court if the FTC has jurisdiction over them. A ruling in AT&T’s favor would remove the last vestige of broadband regulation and would make broadband a completely unregulated industry.

It’s not hard to imagine how a truly unfettered broadband industry would react over time if not regulated. We will see big price increases, data caps, the free use and abuse of customer personal data and a violation of all of the principles of net neutrality. This would push broadband in the wrong direction by making it too expensive for many households while degrading the online experience for all broadband customers. The Internet as we know it can be broken if the ISPs are allowed to ignore customers and answer only to Wall Street.

We are already near to this point even if the AT&T suit against the FTC doesn’t conclude with an AT&T victory at the Supreme Court. After the FCC washed their hand of broadband regulation we now have the only regulation of the industry being the FTC which can tackle bad behavior at a single ISP on a single topic. Mass bad behavior by all of the big ISPs will quickly swamp the FTC, and within a few years the higher prices and bad ISP behavior will likely become the industry norm.

The fact that only a few companies own the wires of the broadband network makes this industry a natural monopoly just like electricity, water and natural gas delivery. Nobody likes to be regulated and I can’t even fully believe I am advocating for more regulation. Even before the FCC withdrew from broadband regulation it was one of the mostly lightly regulated monopoly industries in the country. Big ISPs have always fought against being regulated, but I don’t think even they thought that all broadband regulation would be removed in one fell swoop. We are going to have to somehow put regulations back in place or watch our industry go down a very ugly path.

Like this:

We now know how states are going to react to the end of net neutrality. There are several different responses so far. First, a coalition of 23 states filed a lawsuit challenging the FCC’s ability to eliminate net neutrality and Title II regulation of broadband. The lawsuit is mostly driven by blue states, but there are red states included like Mississippi and Kentucky.

The lawsuit argues that the FCC has exceeded its authority in eliminating net neutrality. The lawsuit makes several claims:

The suit claims that under the Administrative Procedure Act (ACA) the FCC can’t make “arbitrary and capricious” changes to existing policies. The FCC has defended net neutrality for over a decade and the claim is that the FCC’s ruling fails to provide enough justification for abandoning the existing policy.

The suit claims that the FCC ignored the significant public record filed in the case that details the potential harm to consumers from ending net neutrality.

The suit claims that the FCC exceeded its authority by reclassifying broadband service as a Title I information service rather than as a Title II telecommunications service.

Finally, the suit claims that the FCC ruling improperly preempts state and local laws.

Like with past challenges of major FCC rulings, one would expect this suit to go through at least several levels of courts, perhaps even to the supreme court. It’s likely that the loser of the first ruling will appeal. This process is likely to take a year or longer. Generally, the first court to hear the case will determine quickly if some or all of the FCC’s ruling net neutrality order will be stayed until resolution of the lawsuit.

I lamented in a recent blog how partisan this and other FCCs have gotten. It would be a positive thing for FCC regulation in general if the courts put some cap on the ability of the FCC to create new policy without considering existing policies and the public record about the harm that can be caused by a shift in policy. Otherwise we face having this and future FCCs constantly changing the rules every time we get a new administration – and that’s not healthy for the industry.

A second tactic being used by states is to implement a state law that effectively implements net neutrality at the state level. The states of New York, New Jersey and Montana have passed laws that basically mimic the old FCC net neutrality rules at the state level. It’s an interesting tactic and will trigger a lawsuit about state rights if challenged (and I have to imagine that somebody will challenge these laws). I’ve read a few lawyers who opine that this tactic has some legs since the FCC largely walked away from regulating broadband, and in doing so might have accidentally opened up the door for the states to regulate the issue. If these laws hold up that would mean a hodgepodge of net neutrality rules by state – something that benefits nobody.

Another tactic being taken is for states, and even a few cities, to pass laws that change the purchasing rules so that any carrier that bids for government telecom business must adhere to net neutrality. This is an interesting tactic and I haven’t seen anybody that thinks this is not allowed. Governments have wide latitude in deciding the rules for purchasing goods and services and there are already many similar restrictions that states put onto purchasing. The only problem with this tactic is going to be if eventually all of the major carriers violate the old net neutrality rules. That could leave a state with poor or no good choice of telecom providers.

As usual, California is taking a slightly different tactic. They want to require that carriers must adhere to net neutrality if they use state-owned telecom facilities or facilities that were funded by the state. Over the years California has built fiber of its own and also given out grants for carriers to build broadband networks. This includes a recently announced grant program that is likely to go largely to Frontier and CenturyLink. If this law is upheld it could cause major problems for carriers that have taken state money in the past.

It’s likely that there are going to be numerous lawsuits challenging different aspects of the various attempts by states to protect net neutrality. And there are likely to also be new tactics tried by states during the coming year to further muddy the picture. It’s not unusual for the courts to finally decide the legitimacy of major FCC decisions. But there are so many different tactics being used here that we are likely to get conflicting rulings from different courts. It’s clearly going to take some time for this to all settle out.

One interesting aspect of all of this is how the FCC will react if their cancellation of net neutrality is put on hold by the courts. If that happens it means that some or all of net neutrality will still be the law of the land. The FCC always has the option to enforce or not enforce the rules, so you’d suspect that they wouldn’t do much about ISPs that violate the spirit of the rules. But more importantly, the FCC is walking away from regulating broadband as part of killing Title II regulation. They are actively shuttling some regulatory authority to the FTC for issues like privacy. It seems to me that this wouldn’t be allowed until the end of the various lawsuits. I think the one thing we can count on is that this is going to be a messy regulatory year for broadband.

Like this:

The recent ruling earlier this week by the US Court of Appeals for the 9th Circuit highlights the current weak state of regulations over broadband. The case is one that’s been around for years and stems from AT&T’s attempt to drive customers off of their original unlimited cellphone data plans. AT&T began throttling unlimited customers when they reached some unpublished threshold of data use, in some cases as small as 2 GB in a month. AT&T then lied to the FCC about the practice when they inquired. This case allows the FTC suit against AT&T to continue.

The ruling demonstrates that the FTC has some limited jurisdiction over common carriers like AT&T. However, the clincher came when the court ruled that the FTC only has jurisdiction over issues where the carriers aren’t engaging in common-carrier services. This particular case involves AT&T not delivering a product they promised to customers and thus falls under FTC jurisdiction. But the court made it clear that future cases that involve direct common carrier functions, such as abuse of net neutrality would not fall under the FTC.

This case clarifies the limited FTCs jurisdiction over ISPs and contradicts the FCC’s statements that the FTC is going to be able to step in and take their place on most matters involving broadband. The court has made it clear that is not the case. FCC Chairman Ajit Pai praised this court ruling and cited it as a good example of how the transition of jurisdiction to the FTC is going to work as promised. But in looking at the details of the ruling, that is not true.

This court ruling makes it clear that there is no regulatory body now in charge of direct common carrier issues. For instance, if Netflix and one of the ISPs get into a big fight about paid prioritization there would be nowhere for Netflix to turn. The FCC would refuse to hear the case. The FTC wouldn’t be able to take the case since it involves a common carrier issue. And while a court might take the case, they would have no basis on which to make a ruling. As long as the ISP didn’t break any other kinds of laws, such as reneging on a contract, a court would have no legal basis on which to rule for or against the ISPs behavior.

That means not only that broadband is now unregulated, it also means that there is no place for some body to complain against abuse by ISPs until the point where that abuse violates some existing law. That is the purest definition of limbo that I can think of for the industry.

To make matters worse, even this jumbled state of regulation is likely to more muddled soon by the courts involved in the various net neutrality suits. Numerous states have sued the FCC for various reasons, and if past practice holds, the courts are liable to put some or all of the FCC’s net neutrality decision on hold.

It’s hard to fathom what that might mean. For example, if the courts were to put the FCC’s decision to cancel Title II regulation on hold, then that would mean that Title II regulation would still be the law of the land until the net neutrality lawsuits are finally settled. But this FCC has made it clear that they don’t want to regulate broadband and they would likely ignore such a ruling in practice. The Commission has always had the authority to pick and choose cases it will accept and I’m picturing that they would refuse to accept cases that relied on their Title II regulation authority.

That would be even muddier for the industry than today’s situation. Back to the Netflix example, if Title II regulation was back in effect and yet the FCC refused to pursue a complaint from Netflix, then Netflix would likely be precluded from trying to take the issue to court. The Netflix complaint would just sit unanswered at the FCC, giving Netflix no possible remedy, or even a hearing about their issues.

The real issue that is gumming up broadband regulation is not the end of Title II regulation. The move to Title II regulation just became effective with the recent net neutrality decision and the FCCs before that had no problem tackling broadband issues. The real problem is that this FCC is washing their hands of broadband regulation, and supposedly tossed that authority to the FTC – something the court just made clear can’t work in the majority of cases.

This FCC has shown that there is a flaw in their mandate from Congress in that they feel they are not obligated to regulate broadband. So I guess the only fix will be if Congress makes the FCC’s jurisdiction, or lack of jurisdiction clear. Otherwise, we couldn’t even trust a future FCC to reverse course, because it’s now clear that the decision to regulate or not regulate broadband is up to the FCC and nobody else. The absolute worst long-term outcome would be future FCCs regulating or not regulating depending upon changes in the administration.

My guess is that AT&T and the other big ISPs are going to eventually come to regret where they have pushed this FCC. There are going to be future disputes between carriers and the ISPs are going to find that the FCC can not help them just like they can’t help anybody complaining against them. That’s a void that is going to serve this industry poorly.

Like this:

The FCC voted last Thursday to reverse the Net Neutrality order that had been put into place by the previous Tom Wheeler FCC. This action eliminates the use of Title II to regulate broadband. In order to get rid of Title II authority the FCC believes it has to relinquish some of its regulatory role today and to move certain regulatory functions to the Federal Trade Commission. To effectuate this shift the two Commissions have agreed to a Memorandum of Understanding (MOU) that defines the ongoing regulatory and enforcement responsibility of each agency related to broadband.

The Federal Trade Commission will renew investigating ISPs as they do other large businesses in the country. They will investigate complaints made against the companies for practices that the agency deems to be unfair or deceptive. The agency has undertaken this kind of investigation in the past and has cited and fined a few big ISPs for various deceptive pricing and billing practices. In this role the FTC could elect to tackle topics that were part of net neutrality such as anticompetitive blocking of Internet traffic, throttling customer broadband or paid prioritization practices. While the three legs of net neutrality would not explicitly be part of the FTCs responsibilities, they should be free to investigate practices that harm the public. The FTC would also take back jurisdiction over ISP privacy practices.

It appears that dropping the Title II regulatory regime allows the FTC to again regulate ISPs. Since the FCC approved Title II regulation, the big ISPs have argued that the FTC is prohibited by its charter to regulate common carriers. But since broadband providers are no longer considered to be common carriers it would seem to open the door to the FTC again.

The big difference in a shift to FTC regulation is that anything they do is done retroactively. They look at consumer complaints and then prosecute the worst abuses they find in multiple industries. But their rules often come years after abuse by companies and their rulings only generally affect one company at a time. Other ISPs might shift behavior due to an FTC enforcement action, but they are not required to do so. This is a drastic change from having a set of proactive regulations in rules in place that define acceptable ISP behavior.

The FCC will be giving up most regulatory oversight of broadband. There are still a few broadband rules that fall under FCC jurisdiction. For example, there are still rules in place that require ISPs to disclose information about their products, data speeds, etc., to customers. The FCC will still be monitoring and regulating these notices. There are also regulations that will remain in place because they were put in place by laws that can’t be reversed by the FCC. As an example, the FCC will still oversee CALEA compliance, where ISPs are required to provide access to broadband records to law enforcement.

Probably the biggest regulatory gray area left is cellular broadband. While broadband in general is now largely unregulated there are still numerous regulations about cellular service that remain in place. We’ll have to see how the FCC deals with any conflicts between old cellular rules and their desire to unregulated broadband.

To a large extent there will be little regulation of broadband and it is now an unregulated business line. This is a bit ironic in that broadband has grown to become the most important telecommunications product, while the many regulations on the waning product lines of telephone and cable TV still remain in place.

The FCC acknowledges that its technical staff best understands the ISP industry and has promised in the MOU to make FCC staff available to the FTC as needed. It will be interesting to see how that works in practice since some of the FTC investigations drag on for years. I foresee budgetary issues making major collaboration impractical.

The bottom line is that this MOU makes it clear that broadband is largely deregulated. The FTC can step in and punish ISPs that engage in fraudulent and unfair practices. But otherwise nobody will be monitoring or enforcing any regulations on broadband.

Like this:

We have reached a point in the industry where it’s unclear who regulates broadband. I think a good argument can be made that nobody is regulating broadband issues related to the big ISPs.

Perhaps the best evidence of this is a case that is now in Ninth Circuit Court of Appeals in San Francisco. This case involves a 2014 complaint against AT&T by the Federal Trade Commission based on the way that AT&T throttled unlimited wireless data customers. The issue got a lot of press at the time when AT&T started restricting data usage in 2011 for customers when they hit some arbitrary (and unpublished) data threshold in a month. Customers got shuttled back to 3G and even 2G data speeds and basically lost the ability to use their data plans. The press and the FTC saw this as an attempt by AT&T to drive customers off their grandfathered unlimited data plans (which were clearly not unlimited).

AT&T had argued at the FTC that they needed to throttle customers who use too much data as a way to manage and protect the integrity of their networks. The FTC didn’t buy this argument ruled against AT&T. As they almost always do the company appealed the decision. The District Court in California affirmed the lower court ruling and AT&T appealed again, which is the current case in front of the Ninth Circuit. AT&T is making some interesting claims in the case and is arguing that the Federal Trade Commission rules don’t allow the FTC to regulate common carriers.

There are FTC rules called the ‘common carrier exemption’ that were established in Part 5 of the original FTC Act that created the agency. These exemptions are in place to recognize that telecom common carriers are regulated instead by the FCC. There are similar carve-outs in the FTC rules for other industries that are regulated in part by other federal agencies.

The common carrier exemption doesn’t relieve AT&T and other telecom carriers from all FTC regulation – it just means that the FTC can’t intercede in areas where the FCC has clear jurisdiction. But any practices of telecom carriers that are not specifically regulated by the FCC then fall under FTC regulations since the agency is tasked in general with regulating all large corporations.

AT&T is making an interesting argument in this appeals case. They argue since they are now deemed to be a common carrier for their data business under the Title II rules implemented in the net neutrality order that they should be free of all FTC oversight.

But there is an interesting twist to this case because the current FCC filed an amicus brief in the appeal saying that they think that the FTC has jurisdiction over some aspects of the broadband business such as privacy and data security issues. It is this FCC position that creates uncertainty about who actually regulates broadband.

We know this current FCC wants to reverse the net neutrality order, and so they are unwilling right now to tackle any major issues that arise from those rules. In this particular case AT&T’s throttling of customers occurred before the net neutrality decision and at that time the FCC would not have been regulating cellular broadband practices.

But now that the FCC is considered to be a common carrier it’s pretty clear that the topic is something that the FCC has jurisdiction of today. But we have an FCC that is extremely reluctant to take on this issue because it would give legitimacy to the net neutrality rules they want to eliminate.

The FCC’s position in this case leads me to the conclusion that, for all practical purposes, companies like AT&T aren’t regulated at all for broadband issues. The prior FCC made broadband a common carrier service and gave themselves the obligation to regulate broadband and to tackle issues like the one in this case. But the new FCC doesn’t want to assert that authority and even goes so far as to argue that many broadband related issues ought to be regulated by the FTC.

This particular case gets a little further muddled by the timing since AT&T’s practices predate Title II regulation – but the issue at the heart of the case is who regulates the big ISPs. The answer seems to be nobody. The FCC won’t tackle the issue and AT&T may be right that the FTC is now prohibited from doing so. This has to be a huge challenge for a court because they are now being asked who is responsible for regulating the case in front of them. That opens up all sorts of possible problems. For example, what happens if the court rules that the FCC must decide this particular case but the agency refuses to do so? And of course, while this wrangling between agencies and the courts is being settled it seems that nobody is regulating AT&T and other broadband providers.

Like this:

Protecting customer data has been in the news a lot recently and today I’m going to discuss two different news stories concerning the privacy of customer data.

The first story involves a case that will be decided soon by the U.S. Supreme Court. The case, Carpenter vs. United States, is contemplating the rules of how the government can access historical cellphone call records (and one assumes all other telecom records for calls and emails).

Without discussing all of the details of the case, the short version is that police had asked MetroPCS for the complete cellphone records of sixteen people suspected of robbing cellphone stores. MetroPCS supplied the details of all of the calls to and from each suspected cellphone as well as information about the location of the cell sites servicing each phone during the duration of the calls. The legal question being asked is if this represented a warrantless search and specifically as asked by government attorneys, “Whether the government’s acquisition, pursuant to a court order issued under 18 U.S.C. 2703(d), of historical cell-site records created and maintained by a cellular-service provider violates the Fourth Amendment rights of the individual customer to whom the records pertain.”

Recently fourteen companies including Google, Apple, Facebook, and Microsoft filed an amicus brief in the case that argues that the government is relying on outdated privacy laws from the 1970s that allow for the government to ask for telephone records without a warrant. Interestingly, Verizon joined in this argument.

Most small carriers are aware of this issue by the fact that local police often ask them for call records without a warrant. I can’t recall a time when a telco hasn’t responded to such requests, but I’ve talked to many companies who are often uncomfortable with the process. The fourteen companies get similar requests for call records but also for email records, web search results and other kinds of customer information. They argue that such requests should only be made with a warrant that reflects some level of probable cause. Court experts are calling this the biggest Fourth Amendment case in years because it’s going to consider the issues involved with the search for digital records.

The second news story is a different take on privacy. The Electronic Privacy Information Center (EPIC) has asked the Federal Trade Commission (FTC) to investigate how Google tracks customers. Specifically they say that Google analyzes credit card data to understand the in-store shopping habits of customers. They then sell this data to retailers. EPIC is asking the FTC to investigate the actual practices being deployed as well as to provide some sort of mechanism for people to opt out of this kind of tracking program.

If the FCC takes up this investigation it could also be groundbreaking. This case is the first specific case that asks the government to create some boundaries for such tracking and to allow people to opt out of being tracked.

There are many other companies other than Google who are now using ‘big data’ to compile detailed profiles of people. These profiles are being marketed to vendors of products and services, but there is a great fear among privacy advocates that these same profiles can be used for nefarious purposes by governments and others. For instance, scam artists would probably love to know the identity of every household in the country that has somebody suffering from early-stage dementia.

Anybody that is getting involved in selling smart home products needs to be concerned about these issues. Recently researchers Ming Jin, Ruoxi Jia and Costas Spanos of the University of California at Berkeley examined some routine data collected by smart electric meters and were surprised at how much they were able to figure out about the occupants of a home using the data. For example, they were able to understand the patterns of when homes were occupied and unoccupied and were fairly easily able to tell when a given residence was unoccupied.

As we get more smart devices in homes the combination of the data collected by the various devices will be able to paint a detailed picture of the occupants of a home. This case could be the first step towards defining customer rights for control of their personal data.

Like this:

Last week Chairman Ajit Pai halted the impending implementation of the new privacy rules that were to stop the big ISPs from monetizing customer data without customer permission. The Chairman’s stated reason is that he didn’t want to see different rules applied to the big ISPs than to big web companies like Facebook and Google. That argument sounds like a valid reason, but as you will see below, there is no easy path towards treating all of these companies the same.

The stay applied to FCC rules covering a wide variety of privacy issues. The rules were to require the big ISPs to get customer permission to use their data. The rules also created specific security requirements at the ISPs defining how ISPs have to protect customer data and how and when they had to disclose data breaches to customers.

So here is where the confusion starts. The FCC clearly has no authority to regulate the web and what it calls edge-providers – companies like Facebook and Google. It would take an Act of Congress to give the FCC any authority to regulate the web – something that neither Democratic nor Republican administrations have had an appetite for.

Chairman Pai did suggest that perhaps the easiest solution is to hand ISP security issues to the Federal Trade Commission. But the new head of the FTC said this the agency would have no authority to regulate ISPs as long as Title II authority gives this authority to the FCC. So perhaps this action is an indicator that Chairman Pai intends to reverse Title II regulation. He’s said that he is against net neutrality and the FCC used the tool of Title II regulation to implement it. So killing Title II regulations would also get rid of net neutrality.

But what is not being talked about is that the FTC has never contemplated privacy rules as sweeping as the ones implemented by the FCC. The FTC already could impose these rules on Facebook, Google and everybody else on the web, but has never taken any serious steps towards doing so.

Because of that, halting the privacy rules feels like Chairman Pai is just letting the big ISPs off the hook. The big ISPs have been lobbying against these rules from the second they were passed. The ISPs are jealous of the giant revenues that the web companies are making from data mining of consumer data. And the ISPs want to protect what they’ve already been doing. It’s been well known, for example, that AT&T has been monetizing customer data. The leaks from Edward Snowden showed that AT&T has been supplying far more data to the NSA than is required by the Patriot Act. There are reports of a lucrative multi-billion dollar AT&T product line called ‘Hemisphere’ that has been selling customer phone and internet records to the federal government and to local law enforcement agencies.

What I think all of this means is that we have seen the end, for a while of any government agency trying to provide privacy protection for customers. This mainly bothers me as a consumer more than as a consultant. I work entirely with smaller ISPs and none of them have the ability to use customer data in the same way that the big companies do. This latest FCC action only immediately affects perhaps the dozen largest ISPs.

There is a big functional different between ISPs and edge-providers like Facebook. An ISP can see every keystroke a customer makes on the web, except for those that are made inside some encrypted program. But almost nobody uses encryption and so your ISP knows every web site you visit, the contents of every email you write, and every query you make to a search engine. And they know even more about you from your cellphone records – where you traveled and when.

But the difference between Facebook and the ISPs is that nobody makes you use Facebook. I really hate the way that the big companies like Facebook and Google track everything you do inside their platforms. I dropped off Facebook last year partly for this reason. I also rarely use Google as a search engine and don’t use Gmail or Google’s Chrome web browser. I can largely avoid the big web companies, but I can’t avoid my ISP. And like most Americans I don’t have any real option but to use a big ISP for broadband access.

I’m probably like most Americans and don’t feel like I have a lot to hide. But that still does not mean that I want big companies following my every movement, my every purchase, my every email and every web site I visit. That has far too much “big brother” about it for my liking. I know today that this data is mostly being used to develop targeted marketing, but this information could also easily be used for nefarious purposes, and some of that is starting to happen.

As much as this reversal of the privacy rules bothers me as a consumer, the big picture here is that, for now, the big ISPs finally have the FCC they want. This FCC has already said it’s going to reverse or gut net neutrality. This FCC just said they aren’t going to review the AT&T and Time Warner merger. Killing the privacy rules is final proof, only a month after the new Chairman has been in charge, that the big ISPs are likely to get everything they want. And I don’t think that is a healthy thing for the industry or for consumers.

Like this:

A group of consumer and privacy groups has asked the FCC to begin enforcing customer privacy rules. In the industry this process is called CPNI (customer proprietary network information) when applied to telephone and cable TV.

Now that the FCC has classified broadband as a common carrier service, they have the authority to investigate and regulate broadband privacy issues. This is something that the industry needs. Until now there has been very limited regulation of broadband by the Federal Trade Commission since the FTC authority was drawn only from the Children’s Online Privacy Act. But the FCC now has much stronger authority.

Current CPNI rules for telephone and cable TV are focused to a large degree on billing issues and on protecting private data like social security numbers, credit card numbers or other sensitive customer information. There is also a prohibition against disclosing the details of what customers do with those services – such as the calls they make or the channels they watch. (Of course, I guess we now know that the NSA is immune from the obligation to protect telephone records).

As sensitive as privacy matters are in those areas there are larger concerns with broadband. What people do online is extremely personal and the vast majority of Americans think that details of their online life should not be recorded or sold to others.

There are a whole lot of places that the FCC could go with broadband CPNI over and above the normal protections of billing data. For example, what are the obligations of companies to notify people when there has been a data breach and customer information has been compromised? Should ISPs have to disclose to customers if they use their data for any purposes or sell it to others in any form? And if so, how much do companies have to disclose?

An ISP is in very powerful position with a customer. If they wish to record what a customer does online they know everything that the customer isn’t somehow encrypted. They are the first in line to see outgoing bits and the only one to see all of the incoming bits.

The FCC has already started some internal work on the topic and held a workshop. From there the FCC has a number of options. They can first solicit comment and ideas from the public to see what kinds of sentiments are out there. It seems for almost everything the FCC does there are two sides of opinion, and there will be those that are in favor of very strong rules and those in favor of a very light touch. But the FCC would do well to hear all of these opinions before trying to formulate specific rules.

But they do have the option to go straight to a rulemaking. They could propose specific CPNI rules and let everybody take pot shots at them. I’m suspecting that for something this new and different that they are going to want to hear all sides of the arguments first before developing rules. The FCC also might be slow-rolling this. The whole Title II regulatory process is under appeal in the courts and they might not want to go too far down any path until they feel more secure that the courts believe they have the authority to regulate broadband in this manner.

One thing that we can probably expect from the FCC is that whatever they do is going to apply to ISPs but not to what they call edge providers. That would be all of the companies like Google and Facebook that operate on the web and that are not under the Title II regulatory regime. I know that consumer groups are going to want that kind of protection because I think it’s generally assumed that it’s the edge providers – and not the ISPs – that are using and misusing people’s data today.